
If I connect to a server with RDP and share my clipboard with the server, are there any security risks of my clipboard being available to other people logging onto the same server?

e.g.

  1. I have a password saved in my local clipboard
  2. I connect to the server "example.com" using Remote Desktop, username "administrator".
  3. My local password is now available to paste into the remote desktop session.
  4. I close the RD window without logging off.
  5. Another user logs on via RDP without clipboard sharing enabled or on the actual machine itself as "administrator".
  6. Under normal conditions is my password available for the other user to paste?

My above question is assuming there is nothing installed on the server that will grab clipboard entries and save them, except for what is supplied with Windows as standard. I realise that if I connected to an untrusted or compromised server with clipboard sharing enabled all bets are off. I am asking whether Windows has a built-in mechanism to clear the shared clipboard upon disconnection.

1 Answer


I just tried it using the regular RDP client to a Windows Server guest. With clipboard off, it is "cleared" when a user connects to the guest. With clipboard sharing enabled on connection, it uses the contents of the connecting user's clipboard.

So, there is no security risk in allowing shared clipboards.

Nathan C
  • "Who copies passwords to their clipboard? Honestly?!" - Austin Powers – TheCleaner Nov 08 '13 at 14:09
  • Well I wouldn't say there's *no* security risk... if it's in memory somewhere then another administrative user on the machine at the same time can dump it. And OP won't know who because he's apparently sharing the Administrator account among multiple people. :) – Ryan Ries Nov 08 '13 at 14:14
  • @TheCleaner The password was an example to represent a worst case scenario. –  Nov 08 '13 at 15:00
  • @RyanRies A hypothetical scenario as I was curious. :-) I know if the users were separate then they would also have separate clipboards so it wouldn't demonstrate my point. –  Nov 08 '13 at 15:03
  • @TheCleaner Not necessarily a bad thing in itself having a password in the clipboard: http://security.stackexchange.com/a/33429/8340 Better than having rememberable passwords where they are all the same - copying and pasting from a password manager where they are all random would be arguably more secure. Obviously you have to remember to clear it before RDP. ;-) –  Nov 08 '13 at 15:13
  • I was just messing with you...hence the Austin P reference. I don't believe in passwords. Information and Data freedom for all! viva la data anarchy! – TheCleaner Nov 08 '13 at 15:17
  • @TheCleaner Sorry, half asleep here, didn't see that bit! –  Nov 08 '13 at 15:28
  • Nathan C can you confirm if the same is true if the second user physically logs in? (sorry I don't have access to any physical servers here) –  Nov 08 '13 at 15:29
  • @SilverlightFox Yes, console login is the same thing. When you physically log in, you're using the "Console" session. While it's possible to connect to the "remote" user from the console, the clipboard is still cleared. – Nathan C Nov 08 '13 at 18:46
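
Added example (not part of the original question, answer or comments): whether the local clipboard is shared at all is decided on the client side, so a quick check is to read the saved `.rdp` connection file for the `redirectclipboard` setting before connecting. The sample file contents below are constructed, the function names are hypothetical, and the sketch assumes the standard `name:type:value` line format with `redirectclipboard` defaulting to enabled when the line is absent.

```python
import codecs

# Constructed samples of saved .rdp file contents (not from the original page).
# Assumption: the Windows client usually saves these as UTF-16 LE with a BOM.
SAMPLE_SHARED = codecs.BOM_UTF16_LE + (
    "full address:s:example.com\r\n"
    "username:s:administrator\r\n"
    "redirectclipboard:i:1\r\n"
).encode("utf-16-le")
SAMPLE_OFF = b"full address:s:example.com\r\nredirectclipboard:i:0\r\n"
SAMPLE_UNSET = b"full address:s:example.com\r\n"


def parse_rdp(raw: bytes) -> dict:
    """Parse 'name:type:value' lines of an .rdp file into {name: value}."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        text = raw[2:].decode("utf-16-le")
    elif raw.startswith(codecs.BOM_UTF8):
        text = raw[3:].decode("utf-8")
    else:
        text = raw.decode("utf-8", errors="replace")
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # the value may itself contain ':'
        if len(parts) != 3:
            continue  # blank or malformed line
        name, kind, value = parts
        if kind == "i":  # integer-typed setting
            try:
                value = int(value)
            except ValueError:
                continue  # ignore a non-numeric integer setting
        settings[name.strip().lower()] = value
    return settings


def clipboard_shared(raw: bytes) -> bool:
    """True if this connection file shares the local clipboard with the server."""
    # A missing redirectclipboard line means the default, which is enabled (1).
    return parse_rdp(raw).get("redirectclipboard", 1) != 0


if __name__ == "__main__":
    for label, raw in [("shared", SAMPLE_SHARED), ("off", SAMPLE_OFF), ("unset", SAMPLE_UNSET)]:
        print(label, "-> clipboard shared:", clipboard_shared(raw))
```

A file with no `redirectclipboard` line is reported as sharing the clipboard, which is the case most easily overlooked when reviewing saved connections.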